Hi,
I have been an almost happy Zimbra user for almost 10 years now, currently running Zimbra 8.8.15_GA_4232 (build 20220204072400) on CentOS 7. I am using a Let's Encrypt certificate.
This week I've switched phones and I can't get the iPhone to connect to IMAP on port 993. CalDAV and CardDAV are already working without problems.
My previous Android phone had no problems at all.
In the /opt/zimbra/log/nginx.log these messages appear when trying to connect from the iPhone 12:
2022/03/24 22:50:46 [info] 27748#0: *70549 client 188.207.72.119:10252 connected to 192.168.0.169:993
2022/03/24 22:50:46 [info] 27748#0: *70549 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 188.207.72.119:10252, server: 192.168.0.169:993
openssl s_client -showcerts -connect <domain>:993 -servername <domain> shows the right certificate.
openssl s_client -showcerts -connect <domain>:993 -servername <domain>
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = <domain>
verify return:1
---
Certificate chain
0 s:/CN=<domain>
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
1 s:/CN=<domain>
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
2 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=<domain>
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6170 bytes and written 436 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 339882E778D8F1636DE4294DCCC731827F1F40F6ECA11B810567464277224D20
Session-ID-ctx:
Master-Key: <master-key>
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1648156860
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAP4rev1 proxy server ready
read:errno=0
Login:
tag login <username> <password>
tag OK [CAPABILITY IMAP4rev1 ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT I18NLEVEL=1 ID IDLE LIST-EXTENDED LIST-STATUS LITERAL+ LOGIN-REFERRALS MULTIAPPEND NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN XLIST] LOGIN completed
nginx.log:
2022/03/24 23:04:58 [info] 27747#0: *70585 client <ip_address>:51508 connected to 192.168.0.169:993
2022/03/24 23:05:47 [info] 27747#0: *70585 client logged in, client: <ip_address>:51508, server: 192.168.0.169:993, login: "<username>", upstream: 192.168.0.169:7993 (<ip_address>:51508->192.168.0.169:993) <=> (192.168.0.169:33334->192.168.0.169:7993)
Any help would be really appreciated!
Thanks!
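
The chain that `openssl s_client -showcerts` prints in the post above can be checked mechanically. The following is an added example, not part of the original post: a shell function (hypothetical name `check_chain`) reads that output and reports repeated subjects, entries not issued by the next entry, and self-signed roots. The sample input is constructed, with `example.org` standing in for the redacted domain.

```shell
#!/bin/sh
# Added example: check the order of the chain printed by
#   openssl s_client -showcerts -connect HOST:993 -servername HOST
# Expected: leaf first, each entry issued by the next one, no repeated subject.
check_chain() {
  awk '
    BEGIN { n = 0; bad = 0 }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---$/  { in_chain = 0 }   # separator ends the chain section
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); issr[n++] = $0; next }
    END {
      if (n == 0) { print "no certificate chain found"; exit 2 }
      for (i = 0; i < n; i++) {
        for (j = 0; j < i; j++)
          if (subj[i] == subj[j]) {
            printf "DUPLICATE: entry %d repeats the subject of entry %d\n", i, j
            bad = 1
          }
        if (i + 1 < n && issr[i] != subj[i + 1]) {
          printf "ORDER: entry %d is not issued by entry %d\n", i, i + 1
          bad = 1
        }
        if (subj[i] == issr[i])
          printf "NOTE: entry %d is self-signed (root sent by server)\n", i
      }
      if (!bad) print "OK: chain is ordered leaf -> issuer with no repeats"
      exit bad
    }'
}

# Constructed sample with the same layout as the chain in the post;
# example.org is a placeholder for the redacted <domain>.
sample_chain() {
  cat <<'EOF'
Certificate chain
 0 s:/CN=example.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/CN=example.org
   i:/C=US/O=Let's Encrypt/CN=R3
 2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
EOF
}

sample_chain | check_chain || true   # demo run; exit status 1 means findings
```

On the chain layout shown in the post it flags entry 1 as repeating the subject of entry 0, which `Verify return code: 0 (ok)` alone does not reveal.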